I identified a few applications which produce errors: eix, iptstate, busybox, squid, dnsmasq and perhaps some more. Now I am unsure what to do - should I fix the labels of the files? Or should the applications get more rights? I read http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml but I still have problems with understanding and implementing the correct contexts.

selinux-squid and selinux-dnsmasq are installed - I guess that I simply have to adjust the permissions.

To keep it short: I do not know how to react on log messages like the ones above.

Any help would be really appreciated.

Best regards,
Jimini

I would suggest looking into Hardened Gentoo, instead. Hardened Gentoo includes SELinux, and they furnish a targeted policy. I would think it much easier to pick up a working policy from there, rather than trying to do one on your own, especially if you're not currently experienced with it.

thank you for your reply. Maybe I misunderstand you, but I am using a hardened kernel (3.7.0) and a correct profile (hardened/linux/amd64/no-multilib/selinux). I installed all available (and needed) policies, as shown by semodule -l:

Your initial post left me with the impression that you were trying to roll SELinux on your own, installing it on top of regular Gentoo. I suggested that Hardened Gentoo would be a better starting point.

Oh, then you got me wrong :)
I run a hardened kernel with the correct profile. SELinux seems to work so far; I just have problems with a few single applications that seem not to have the correct permissions.

Best regards,
Jimini

Oh, now it seems so simple...I installed sys-process/audit, which brings a few useful applications like audit2allow. This program reads the denial messages from (e.g.) /var/log/audit/audit.log and creates type enforcement rules.

I'll wait a few days and keep an eye on that.

Best regards,
Jimini
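As an added illustration of what audit2allow does with those audit.log lines (my own example, not audit2allow's code or anything from this thread), the script below parses constructed AVC denial records, merges them per source type, target type and object class, and emits allow rules plus a module skeleton similar to what audit2allow -M produces:

```python
import re
from collections import defaultdict

# Constructed sample records in /var/log/audit/audit.log format (not real log data).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1357900000.123:45): avc:  denied  { read } for  pid=1234 comm="dnsmasq" name="hosts" dev="sda2" ino=1234 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1357900001.456:46): avc:  denied  { read open } for  pid=1234 comm="dnsmasq" path="/etc/hosts" dev="sda2" ino=1234 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1357900002.789:47): avc:  denied  { name_bind } for  pid=2345 comm="squid" src=3128 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1357900002.789:47): arch=c000003e syscall=49 success=no exit=-13
"""

# Only the AVC part matters: permissions, the type field of both contexts, and the class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)

def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC denial."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)          # SYSCALL and other record types are skipped
        if m:
            rules[(m['stype'], m['ttype'], m['tclass'])].update(m['perms'].split())
    return dict(rules)

def to_te_rules(rules):
    """Render the merged denials as type enforcement allow rules."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def to_module(rules, name="local"):
    """Wrap the rules in a loadable policy module skeleton with its require block."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, c), p in rules.items():
        classes[c].update(p)
    req = [f"\ttype {t};" for t in types] + [
        f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    return "\n".join([f"module {name} 1.0;", "", "require {", *req, "}", "",
                      *to_te_rules(rules)])

if __name__ == "__main__":
    print(to_module(parse_denials(SAMPLE_AUDIT_LOG)))
```

A denial whose target is a generic type such as etc_t is often a sign that the file is mislabeled and should be fixed with restorecon rather than granted by a new allow rule, so each generated rule deserves a look before the module is loaded.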

I've always kind of felt that I should be running something like this, but it was always too intrusive to get started. I'll be curious to learn from your experiences.

One of the bigger problems is that in a dual-boot setting, at least when one of the boots is non-SELinux and also has access to one or more of the SELinux partitions, whenever you boot back to the SELinux it feels compelled to re-label the entire partition. That was one of the things that led me to turn it off.

One of the bigger problems is that in a dual-boot setting, at least when one of the boots is non-SELinux and also has access to one or more of the SELinux partitions, whenever you boot back to the SELinux it feels compelled to re-label the entire partition. That was one of the things that led me to turn it off.

Hm...you could create the file /.autorelabel on shutdown, so the whole filesystem gets relabeled on booting the SELinux OS.

Best regards,
Jimini